From e032cf239ff7cf74912ec6308527846b69de4621 Mon Sep 17 00:00:00 2001
From: Brendan Shephard <bshephar@redhat.com>
Date: Sun, 1 Dec 2024 09:15:29 +1000
Subject: [PATCH] Use PAM for sshd Motd

This change switches the method we use to display the motd.
Previously, we used PrintMotd in the sshd config. RHEL9 configures
pam_motd.so in PAM, and as such the motd will be duplicated when
using PrintMotd. To avoid this, we can configure the motd via PAM.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=2329414
Signed-off-by: Brendan Shephard <bshephar@redhat.com>
---
 roles/edpm_sshd/tasks/configure.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/roles/edpm_sshd/tasks/configure.yml b/roles/edpm_sshd/tasks/configure.yml
index a8755f10a..48219adaf 100644
--- a/roles/edpm_sshd/tasks/configure.yml
+++ b/roles/edpm_sshd/tasks/configure.yml
@@ -74,11 +74,16 @@
          {% if edpm_sshd_banner_enabled %}
          {% set _ = edpm_sshd_server_options.__setitem__('Banner', '/etc/issue') %}
          {% endif %}
-         {% if edpm_sshd_motd_enabled %}
-         {% set _ = edpm_sshd_server_options.__setitem__('PrintMotd', 'yes') %}
-         {% endif %}
          {{ edpm_sshd_server_options }}
 
+    - name: Set sshd motd when enabled
+      ansible.builtin.lineinfile:
+        path: /etc/pam.d/sshd
+        regexp: "^session.*optional.*pam_motd.so"
+        line: "session    optional     pam_motd.so motd=/etc/motd"
+        state: present
+      when: edpm_sshd_motd_enabled
+
     - name: Adjust ssh server configuration
       become: true
       ansible.builtin.template: